LightSpy, the malware behind a recent watering hole attack on iOS users in Hong Kong, has been found to have an Android implant as well: a Core component and 14 related plugins hosted on 20 active servers. The attack, attributed to the state-sponsored group APT41, shows new and sophisticated techniques being used against mobile users.
According to reports from Cyber Security News, LightSpy is a fully featured modular surveillance toolset that uses a set of plugins to exfiltrate private and payment data. It targets the personal information of its victims, extracting payment data from the WeChat Pay payment system, monitoring private communications, and carrying out other malicious activities.
The malware uses a plugin architecture, and its components cannot run as standalone applications. The Core performs every function the attack chain needs: gathering device fingerprints, establishing connections with the control servers, retrieving commands, and updating both itself and the additional payload files, known as plugins.
Among the 14 plugins included in LightSpy, one of the most significant is the location module plugin, which tracks the victim's location. It can send a snapshot of the current location or set up continuous tracking at specified intervals. The plugin is built on two location-tracking frameworks: the Tencent location SDK and the Baidu location SDK.
Another important plugin is the Soundrecord plugin, which records audio. It can start recording from the microphone immediately or at specified intervals, and it can also record incoming phone calls.
The Bill plugin gathers the victim's payment history from WeChat Pay, including the last bill ID, bill type, transaction ID, date, and payment status.
ThreatFabric, a cybersecurity firm, has published a comprehensive report on LightSpy covering the threat vector, source code, analysis, and other pertinent details.
The discovery of LightSpy and the sophisticated techniques it uses against mobile users in Hong Kong highlights the persistent cyber threats that individuals and organizations face, and underlines the importance of maintaining robust security measures to defend against such attacks.